RHSA-2022:0431 - Security Advisory

Topic

Updated images are now available for Red Hat Advanced Cluster Security for
Kubernetes (RHACS). The updated image includes a bug fixes, security patches and new feature enhancements.

Red Hat Product Security has rated this update as having a security impact
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which
gives a detailed severity rating, is available for each vulnerability from
the CVE link(s) in the References section.

Description

New features
1. Vulnerability triage workflows - RHACS 3.68 includes the ability to triage vulnerabilities in a variety of ways to support your vulnerability management process. See Managing vulnerabilities for more information.
2. Report scheduling for vulnerabilities - RHACS 3.68 includes the ability to schedule reports for vulnerabilities helping you to send scheduled communications to key stakeholders to assist in the vulnerability management process. See Reporting vulnerabilities to teams for more information.
3. Use AWS ECR AssumeRoles - AWS AssumeRoles allows you to define roles with specific permissions and then granting users access to those roles. {product-title} 3.68 includes the ability to use AWS ECR AssumeRoles to configure roles and grant various levels of access to users. For more details, see Using assumerole with Amazon ECR.

Important bug fixes

1. Previously, searching for CVE’s with a specific severity did not returned any results. This issue has been fixed.
2. Previously, when configuring the Manage Watches feature, if you added more than 12 images to the watch list, the image list would not display properly. This issue has been fixed.
3. Previously, when the RHACS Operator accessed the central-htpasswd secret, it would create a false positive policy violation for the OpenShift: Advanced Cluster Security Central Admin Secret Accessed default policy. This issue has been fixed.

Security update

1. In earlier versions of RHACS, the write permission for the APIToken resource allowed users to create API tokens for any role, including the admin role. This issue has been fixed.
2. The scanner image has been updated to patch CVE-2021-29923.

• golang: net: incorrect parsing of extraneous zero characters at the

beginning of an IP address octet (CVE-2021-29923)

Important system changes

1. RHACS 3.68 includes updates for the Log4Shell vulnerability detection policy. With this update this policy also detects CVE-2021-45046 and it includes the updated remediation based on the latest guidance by the Apache Logging security team.
2. When you upgrade to RHACS 3.68, roles that include write access on the Images resource will have write permissions for both VulnerabilityManagementRequests and VulnerabilityManagementApprovals resource. Red Hat recommends updating the roles to only include the least amount of resources required for each role.
3. If you have installed RHACS using Helm, this update disabled the cluster configuration options in the {product-title-short} portal. You can continue to use Helm configuration files.
4. RHACS 3.68 sends notifications for every runtime policy violation rather than sending notifications only the first encountered violation. This is the default behavior.
5. Tags of the scanner, scanner-db, and collector images, including the collector-slim variant, are now identical to the main image tag.
6. Red Has changed the image names for collector-slim. -slim is no longer part of the image tag.
7. The roxctl CLI includes a new --image-defaults option for the roxctl helm output and roxctl central generate commands. It allows selecting the default registry from which container images are taken for deploying central and scanner.
8. Red Hat has deprecated the --rhacs option for the roxctl helm output command. Use --rhacs-image-defaults option instead.
9. By default, the roxctl helm output command now uses the images from registry.redhat.io rather than stackrox.io.

Solution

To take advantage of the new features, bug fixes and security patches issued in 3.68 you are advised to upgrade to patch release 3.68.0.

Affected Products

• Red Hat Advanced Cluster Security for Kubernetes 3 x86_64

Fixes

• BZ - 1992006 - CVE-2021-29923 golang: net: incorrect parsing of extraneous zero characters at the beginning of an IP address octet
• RHACS-94 - stackrox.io is still default image source in output of "roxctl central generate"
• RHACS-110 - Release RHACS 3.68.0

CVEs

• CVE-2021-3712
• CVE-2021-29923
• CVE-2021-42574

References

• https://access.redhat.com/security/updates/classification/#moderate